Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP-UX Reference > A

audit_track_paths(5)

Tunable Kernel Parameters
HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

audit_track_paths — enable/disable tracking of current and root directories for auditing subsystem

VALUES

Failsafe

0 (off)

Default

0 (off)

Allowed values

0 (off) or 1 (on)

Recommended values

1 (on) if Audit is turned on or HP-UX HIDS is installed,

0 (off) otherwise.

DESCRIPTION

audit_track_paths is a dynamic tunable and replaces HP-UX HIDS specific static tunable enable_idds.

Setting the tunable audit_track_paths to 1 enables both Audit and HP-UX HIDS to resolve and report absolute pathnames for their accounting purposes. This also causes additional tracking by the kernel, resulting in a small degradation in performance (and increase in kernel memory usage), even if auditing subsystem is not in use. Although it is not required, but it is highly recommended to reboot the system when setting the tunable audit_track_paths to 1 with the intention to be able to record the absolute pathnames. Otherwise, Audit or HP-UX HIDS may not be able to resolve and report absolute pathname consistently.

When audit_track_paths is set to 0, Audit will not resolve absolute pathnames, while HP-UX HIDS will be unable to open the device and collect data. This is because HIDS always expects a complete pathname for its purposes.

The tunable is set to Default state when the system is installed without HP-UX HIDS and its value is set to 0. The tunable is set to 1 when HP-UX HIDS is first installed.

Who Is Expected to Change This Tunable?

Administrator with proper privileges can change the value of audit_track_paths depending on the restrictions stated below.

Restrictions on Changing

The tunable audit_track_paths is a dynamic tunable so any changes to this will take effect immediately, provided following conditions are satisfied:

1)

If the new tunable value is 0 (and not Default), then HPUX HIDS will not be able to open the IDDS device; and therefore, it will not be able to run any intrusion detection template that requires system call audit records. This restriction is enforced to avoid HIDS reporting incomplete or relative pathnames.

2)

If /dev/idds is opened, then the administrator will not be allowed to change the value of the tunable.

3)

If the tunable is set to Default, IDDS will self-tune its value to 1 when the IDDS device is opened by HPUX HIDS.

4)

If the tunable value is set to Default, Audit will self-tune its value to 1 at the time of turning ON auditing.

5)

If Audit is already ON, the administrator is not allowed to change the tunable value.

6)

If the administrator changes the tunable value from 0 to 1, a reboot of the system is recommended to avoid reporting of partial pathnames by HP-UX HIDS or Audit.

When Should the Tunable Be Turned On?

The tunable audit_track_paths should be turned ON if either HP-UX HIDS or Audit is going to be started.

What Are the Side Effects of Turning the Tunable On?

The name of the current working directory (and root directory) of every process is tracked, resulting in a change in memory usage and performance of the system.

When Should the Tunable Be Turned Off?

When both HIDS and Audit are OFF.

What Are the Side Effects of Turning the Tunable Off?

When the tunable is OFF, HP-UX HIDS is unable to use any detection template that requires system call audit records (such as the "Modification of Files/Directories Template"). See HP-UX HIDS documentation for more information about templates. Also in this case Audit will report relative pathnames in the audit log.

What Other Tunables Should Be Changed at the Same Time?

This tunable is independent of other tunables.

WARNINGS

All HP-UX kernel tunable parameters are release-specific. This parameter may be removed or have its meaning changed in future releases of HP-UX.

Installation of optional kernel software, from HP or other vendors, may cause changes to tunable parameter values. After installation, some tunable parameters may no longer be at the default or recommended values. For information about the effects of installation on tunable values, consult the documentation for the kernel software being installed. For information about optional kernel software that was factory installed on your system, see HP-UX Release Notes at http://docs.hp.com.

AUTHOR

audit_track_paths was developed by HP.

SEE ALSO

kctune(1M), audit(5), ids.cf(5).



audit_memory_usage
  		 


B  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.